Continuous ATO – Worth the Effort
Thanks to FISMA, compliance and security professionals have a long and checkered history with the letters ATO. Whether you’re part of a federal government agency, an external partner, or a vendor looking to serve the federal market, a valid Authority (or Authorization) to Operate continues to determine when your technology can be used.
The traditional ATO process is tedious, time-consuming, and inefficient, but it serves a valuable purpose: managing risk in the agency's technology environment by evaluating security and compliance controls. Unfortunately, we all know that a traditional ATO relies on a point-in-time snapshot, one that is often outdated by the time the authorization package is finished.
Continuous ATO (cATO) is designed to remedy that time lag and also streamline the ATO process. The momentum around cATO is a good indicator that we may finally have something better than the traditional ATO, but there are plenty of Information System Security Officers (ISSOs) still trying to gauge whether it's worth pursuing. The answer is YES, but let's talk a bit more about cATO before getting into its benefits.
Shift left isn't just for software developers; it's a mindset. Addressing something like security or compliance earlier in a process gives you more time and opportunity to resolve issues at a lower cost and with fewer implications for your most critical deadlines, whether that's a DevSecOps team trying to release a new version on time or a compliance team needing enough lead time before an audit to make sure a certification doesn't lapse.
The Department of Defense (DoD) explicitly calls for speed, agility, and improved security – not always features of traditional ATOs! – in the development and operation of their environments, platforms, and cloud solutions. Sounds a lot like a shift left mentality. Effective cATO brings shift left to life inside the federal government.
DoD's three primary evaluation criteria for cATO are continuous monitoring (ConMon), an active cyber defense, and a secure software supply chain. It's pretty clear that one of these carries more weight. From the DoD's public use case [1]:
“However, the key to receiving a cATO is having a robust continuous monitoring strategy that includes automated triggers based on approved thresholds within the auditing and incident response plans.”
Continuous monitoring enables cATO. The right solution gives security and compliance teams a clear look at the state of their technical controls at any time they want it. Adding automation, for example a continuous compliance automation tool, delivers evidence collection, artifact development, and report creation on a regular cadence instead of as a one-off exercise. Connecting every system inside the authorization boundary, even if some are in the cloud and others in datacenters, presents ISSOs and other key stakeholders with a single, current picture of their environment at any time.
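To make "automated triggers based on approved thresholds" concrete, here is an added example of a small ConMon check runner in Python. It is not from the DoD memo or from any compliance product. It evaluates an inventory snapshot against approved thresholds, turns every non-compliant result into a trigger for the incident response plan, and packages all results as an evidence artifact with a content digest so the artifact can later be verified as unaltered. The host names, inventory values and threshold limits are constructed for illustration; the control IDs follow NIST SP 800-53 numbering, but the mapping of each check to a control and the specific limits are assumptions.

```python
"""Minimal continuous-monitoring (ConMon) check runner.

Evaluates a few technical controls against an inventory snapshot, compares
each result to an approved threshold, emits an evidence artifact with a
SHA-256 digest, and lists the triggers that should feed the IR plan.
All inventory data, thresholds and control mappings are constructed for
illustration; they are not from any agency's authorization package.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed inventory snapshot: what an automated collector might pull
# from an endpoint agent, an identity provider and a vulnerability scanner.
INVENTORY = [
    {"host": "web-01", "days_since_patch": 12, "mfa_enforced": True,  "critical_vulns": 0},
    {"host": "web-02", "days_since_patch": 41, "mfa_enforced": True,  "critical_vulns": 2},
    {"host": "db-01",  "days_since_patch": 3,  "mfa_enforced": False, "critical_vulns": 0},
]

# Approved thresholds (assumed values). Control IDs use NIST SP 800-53
# numbering (SI-2 flaw remediation, IA-2 identification and authentication,
# RA-5 vulnerability monitoring); the limits themselves are hypothetical.
THRESHOLDS = {
    "SI-2": {"field": "days_since_patch", "max": 30},
    "IA-2": {"field": "mfa_enforced", "expect": True},
    "RA-5": {"field": "critical_vulns", "max": 0},
}


@dataclass
class Finding:
    control: str
    host: str
    observed: object
    threshold: object
    compliant: bool


def evaluate(inventory, thresholds):
    """Return one Finding per (control, host) pair."""
    findings = []
    for control, rule in thresholds.items():
        for asset in inventory:
            value = asset[rule["field"]]
            if "max" in rule:               # numeric ceiling, e.g. patch age
                limit, ok = rule["max"], value <= rule["max"]
            else:                           # exact expected state, e.g. MFA on
                limit, ok = rule["expect"], value == rule["expect"]
            findings.append(Finding(control, asset["host"], value, limit, ok))
    return findings


def triggers(findings):
    """Non-compliant findings: each one should open a ticket or incident
    per the approved thresholds in the incident response plan."""
    return [f for f in findings if not f.compliant]


def _canonical(body):
    # Deterministic serialization so the digest is reproducible on verify.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_evidence(findings, collected_at=None):
    """Package findings as an evidence artifact with a SHA-256 digest so it
    can be attached to the authorization package and verified later."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    body = {"collected_at": collected_at,
            "findings": [asdict(f) for f in findings]}
    body["sha256"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def verify_evidence(artifact):
    """True if the artifact's contents still match its recorded digest."""
    body = {k: v for k, v in artifact.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == artifact["sha256"]


if __name__ == "__main__":
    results = evaluate(INVENTORY, THRESHOLDS)
    for f in triggers(results):
        print(f"TRIGGER {f.control} on {f.host}: "
              f"observed={f.observed} threshold={f.threshold}")
    print(json.dumps(build_evidence(results), indent=2))
```

Run on the constructed snapshot, this produces three triggers (web-02 for SI-2 and RA-5, db-01 for IA-2) and one evidence artifact covering all nine checks. The digest is what makes the artifact useful on a cadence: a reviewer can confirm that the evidence presented at assessment time is the same evidence the collector produced.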
As an added bonus, you’ve now got the foundations for your ATO in a fraction of the time. By building this self-sustaining model and maintaining your cATO, your security and compliance teams can spend less time doing the manual, low-value tasks that traditional ATO requires, and you can focus them more on supporting your mission.